ABSTRACT

Providing a firewall for isolating network elements from a 
publicly accessible network to which such network elements 
are attached. The firewall operates on a stand alone com- 
puter connected between the public network and the network 
elements to be protected such that all access to the protected 
network elements must go through the firewall. The firewall 
application running on the stand alone computer is prefer- 
ably the only application running on that machine. The 
application includes a variety of proxy agents that are 
specifically assigned to an incoming request in accordance 
with the service protocol (i.e., port number) indicated in the 
incoming access request. An assigned proxy agent verifies 
the authority of an incoming request to access a network 
element indicated in the request. Once verified, the proxy 
agent completes the connection to the protected network 
element on behalf of the source of the incoming request. 

36 Claims, 5 Drawing Sheets 
FIREWALL SYSTEM FOR PROTECTING NETWORK ELEMENTS CONNECTED TO A PUBLIC NETWORK

BACKGROUND

The present invention relates to a system for protecting network elements connected to a public network from access over the public network, and more specifically, to a firewall system for protecting network elements connected to the Internet.

The Internet has experienced, and will continue to experience, explosive growth. As originally designed, the Internet was to provide a means for communicating information between public institutions, particularly universities, in a semi-secure manner to facilitate the transfer of research information. However, with the development and provision of user friendly tools for accessing the Internet, such as the World Wide Web (the Web), the public at large is increasingly turning to the Internet as a source of information and as a means for communicating.

The Internet's success is based, in part, on its support of a wide variety of protocols that allows different computers and computing systems to communicate with each other. All of the Internet-compatible protocols, however, find some basis in the two original Internet protocols: TCP (Transmission Control Protocol) and IP (Internet Protocol). Internet protocols operate by breaking up a data stream into data packets. Each data packet includes a data portion and address information. The IP is responsible for transmitting the data packets from the sender to the receiver over a most efficient route. The TCP is responsible for flow management and for ensuring that packet information is correct. None of the protocols currently supported on the Internet, however, provides a great degree of security. This factor has hindered the growth of commercial services on the Internet.

The government, in learning of the Internet's limited transmission security capacity, has resorted to encoding secure messages using complex encryption schemes. The government abandoned consideration of the Internet for high security information, relying instead on privately operated government networks. The general public, without such concerns, has come to increasingly use the Internet. Furthermore, businesses, having recognized the increasing public use of, and access to, the Internet, have turned to it as a marketing mechanism through which to disseminate information about their products, services and policies.

A popular way for commercial institutions to supply information over the Internet is to establish a homepage on an Internet multi-media service known as the World Wide Web. The World Wide Web ("Web") provides a user-accessible platform that supplies information in text, audio, graphic, and video formats. Each homepage document can contain embedded references to various media. A Web user can interactively browse information by responding to entry prompts nested in a screen within a homepage. Web documents are accessed by using a TCP/IP compatible protocol called HyperText Transfer Protocol (HTTP). A user logged onto the Internet can access a "Web site" by supplying the Web site's address (e.g., "http://srmc.com"). Entry of such an address establishes a session between the user and the Web site.

Provision of a Web homepage involves establishing a user accessible file at a Web site. The Web site can be established on a computing system on the premises of the business or institution providing the homepage, or by contracting to have the homepage built and supported on the computing facilities of an Internet Service Provider (ISP). The assignee of the present application, Scientific Research Management Corporation (SRMC), is an Internet Service Provider.

Use of a company's computing system for support of a publicly accessible system, such as a Web site, can present a threat to the company's internal systems that share the same computing platform, or are connected to the publicly accessible computing platform. Furthermore, in cases where sensitive information is transmitted over the Internet to a company, such information is usually stored on the same computing system that is used for running the on-line Internet system. For instance, some businesses now publish homepage catalogs offering services and products for sale. A user can select products or services from a homepage catalog in an interactive session. After selecting the desired products or services, the homepage may present a payment screen inviting the user to enter credit card information. Handling of such information over a public network such as the Internet requires some measure of security to prevent the information from being intercepted. However, a more important consideration is maintaining the security of such information once it is received and stored in a computing system that is connected to the Internet.

Most computer crime is not in the form of data interception, but involves a network intruder, or "hacker," entering a publicly-accessible computing system and subverting security systems to access stored information. In the recent past there have been several publicized cases where hackers have stolen proprietary information from purportedly secure computers over the Internet.

In many cases where a publicly accessible application, such as a homepage, is set up on a business or institution's premises, it is grafted onto an existing computing system. The existing system also may contain other computing resources such as data bases, and/or internal network systems that are not intended for public access. Provision of a publicly accessible on-line system, such as a Web server, on such a system can provide a scenario that can be exploited by hackers who may attempt to reach systems beyond the Web server using it, or other systems bundled on the computing platform, as access paths. A company or institution may attempt to protect these surrounding systems by password protecting them, or by concealing them from the public with a system called a firewall.

Password protected systems are well known. However, a password prompt announces the presence of proprietary systems and may be an invitation for a hacker to investigate further. Because password systems are widely known, they are somewhat susceptible to hackers who have developed techniques for cracking, bypassing or subverting them. Using conventional desktop computers, hackers have been known to decipher passwords of reasonable lengths in a very short period of time. Provision of longer passwords may thwart a hacker's attempts, but at the expense of user convenience.

The term "firewall" was coined in the computer network environment to describe a system for isolating an internal network, and/or computers, from access through a public network to which the internal network or computers are attached. The purpose of a firewall is to allow network elements to be attached to, and thereby access, a public network without rendering the network elements susceptible to access from the public network. A successful firewall allows for the network elements to communicate and transact with the public network elements without rendering the network elements susceptible to attack or unauthorized inquiry over the public network. As used herein, the term "network element" can refer to network routers, computers, servers, databases, hosts, modems, or like devices that are typically associated with a computer network.

One technique used by firewalls to protect network elements is known as "packet filtering." A packet filter investigates address information contained in a data packet to determine whether the machine from which the packet originated is on a list of disallowed addresses. If the address is on the list, the packet is not allowed to pass.

One problem with packet filtering is that when unknown address information is encountered in the filtering check (i.e., the packet's address is not on the list), the packet is usually allowed to pass. This practice of allowing unknown packets to pass is based on an Internet design philosophy that promotes the ease of information transfer. Hence, most firewall systems utilizing packet filtering operate on an "allow to pass unless specifically restricted" basis. This practice is invoked with the perception that the packet will eventually be recognized and appropriately routed downstream of the packet filter. However, this practice provides hackers with a means with which to bypass a packet filter.

Hackers have developed a technique known as "source based routing," "packet spoofing," or "IP spoofing" wherein address information within a fabricated packet is manipulated to bypass a packet filter. All network elements that are addressable over the Internet have an address consisting of four octets separated by periods. Each of the octets is an eight bit sequence representing a decimal number between zero and 255. A host computer on the Internet might have an IP address: 19.137.96.1. Source based routing involves a hacker inserting an address of a machine that resides "behind" a firewall into the source address field of a fictitious packet. Such a packet can usually pass through a firewall because most firewalls are transparent to messages that originate from behind the firewall, because the firewall assumes that such messages are inherently valid. To prevent this type of packet spoofing, the packet filter's list of disallowed addresses includes the addresses of elements residing behind the firewall.

Another packet spoofing technique involves setting the "session_active" bit of a packet. By setting this bit in a packet, a packet filter receiving the packet assumes that a valid session has already been established, and that further packet filtering checks are not necessary, thereby allowing the packet to pass. A spoofed packet having its session_active bit set can contain an "establish connection" message. Such a packet can be used to establish a session with a machine behind the firewall.
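The two spoofing techniques above both exploit a filter that decides on the packet's own claims. The following is an added example, not code from the patent, contrasting the "allow unless specifically restricted" filter described in the text with a default-deny filter that applies the two countermeasures the text implies: a packet arriving on the public interface can never carry an internal source address, and the "session_active" flag (the TCP ACK bit) is only honoured for a session the filter itself recorded. The addresses, the blocklist and the single published service are constructed for illustration.

```python
# Added example (not from the patent): a default-allow packet filter of the
# kind the text criticises, beside a default-deny filter that applies the
# two anti-spoofing rules the text implies. Addresses and policy below are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

INTERNAL_NET = IPv4Network("192.0.2.0/24")       # assumed network "behind" the firewall
BLOCKLIST = {ip_address("198.51.100.7")}          # constructed list of disallowed sources
INBOUND_SERVICES = {80}                           # only HTTP may be opened from outside


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    syn: bool           # TCP SYN: a connection-establishment request
    ack: bool           # TCP ACK: the flag the text calls the "session_active" bit
    from_outside: bool  # arrived on the public-network interface


def pkt(src, sport, dst, dport, syn, ack, from_outside):
    return Packet(ip_address(src), sport, ip_address(dst), dport, syn, ack, from_outside)


def default_allow(p):
    """'Allow to pass unless specifically restricted', as described in the text.

    Only a blocklist is consulted, packets that claim an internal source are
    trusted as originating behind the firewall, and a set ACK flag is taken as
    proof that a session already exists.
    """
    if p.src in BLOCKLIST:
        return False
    if p.src in INTERNAL_NET:
        return True
    if p.ack:
        return True
    return p.dport in INBOUND_SERVICES


class StatefulDenyFilter:
    """Deny by default; the filter itself records which sessions exist."""

    def __init__(self):
        # (inside addr, inside port, outside addr, outside port)
        self.sessions = set()

    def process(self, p):
        if p.src in BLOCKLIST:
            return False
        if p.from_outside:
            # Anti-spoofing: an internal source address can never legitimately
            # arrive on the public interface, whatever the rest of the packet says.
            if p.src in INTERNAL_NET:
                return False
            key = (p.dst, p.dport, p.src, p.sport)
            if p.syn and not p.ack:
                # A genuine connection request: permitted only to published services.
                if p.dst in INTERNAL_NET and p.dport in INBOUND_SERVICES:
                    self.sessions.add(key)
                    return True
                return False
            # Everything else, including a lone ACK or a SYN+ACK, must match a
            # session this filter recorded; the flag by itself proves nothing.
            return key in self.sessions
        # Outbound traffic from the protected network: record it so the reply
        # can come back, then pass it. Anything else on the inside is spoofed.
        if p.src in INTERNAL_NET:
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


def run_scenarios():
    """Return {scenario: (default_allow verdict, default_deny verdict)}."""
    f = StatefulDenyFilter()
    cases = [
        ("spoofed internal source",
         pkt("192.0.2.10", 1234, "192.0.2.20", 23, True, False, True)),
        ("spoofed ACK to telnet",
         pkt("203.0.113.5", 4444, "192.0.2.20", 23, True, True, True)),
        ("legitimate HTTP request",
         pkt("203.0.113.5", 5555, "192.0.2.20", 80, True, False, True)),
        ("outbound from inside",
         pkt("192.0.2.20", 40000, "203.0.113.9", 443, True, False, False)),
        ("reply to that outbound",
         pkt("203.0.113.9", 443, "192.0.2.20", 40000, True, True, True)),
        ("unsolicited ACK",
         pkt("203.0.113.9", 443, "192.0.2.20", 40001, False, True, True)),
        ("blocklisted source",
         pkt("198.51.100.7", 1, "192.0.2.20", 80, True, False, True)),
    ]
    return {name: (default_allow(p), f.process(p)) for name, p in cases}


if __name__ == "__main__":
    for name, (allow, deny) in run_scenarios().items():
        print(f"{name:28s} default-allow={allow!s:5s} default-deny={deny}")
```

The default-allow filter passes both forged packets; the stateful filter passes only the published HTTP request and the reply to a connection the inside opened. Two caveats: the "source based routing" the text describes is source-address forgery, which is what the interface check catches, whereas the IP loose/strict source-route option is a separate mechanism that a filter should simply drop; and the scenario table runs in order, because the outbound packet must be seen before its reply can be recognised.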

Additional packet filtering techniques involve investigations of the data portions of packets to determine whether there are any suspect contents, and/or investigations of suspect protocol designations. However, the drawback of these and the aforementioned packet filtering schemes is that, when used in combination, they are cumbersome. This practice impairs the speed with which packet filters do their job.

Conventional firewalls also may use an application gateway, or proxy system. These systems operate on the basis of an application, or a computing platform's operating system (OS), monitoring "ports" receiving incoming connection requests. A port is a numerically designated element contained in the overhead of a packet. A port number indicates the nature of a service associated with a packet. For example, a packet associated with the Telnet service has a port number of 23, and the HTTP service is assigned port number 80. These port number designations are merely industry suggested; a packet containing a port designation of 23 need not necessarily be associated with Telnet services. When the OS or monitoring application receives a request on a particular port, a connection is opened on that port. A program for managing the connection is then initiated, and the firewall starts a gateway application, or proxy, that validates the connection request. However, such a system is vulnerable and inefficient because of the resource intensive nature of the processes involved.

Hackers have been known to inundate a port with large 
numbers of slightly varying access requests in an attempt to 
slip a packet by an application gateway or proxy. This 
method of attack is known as a "denial of service attack." 
The typical response to such an attack is to have the OS shut 
down the targeted port for a period of time. This defense 
response is necessitated by the inefficiency of conventional 
port processing. The chain of processes associated with 
monitoring, managing, and verifying port connections is 
very inefficient. A denial of service attack can unduly burden 
system resources. Consequently, the conventional defense is 
to have the OS shut down the port for a period of time. This 
security technique prevents entry into a system through that 
port and restores the availability of system resources. 
However, it also prevents a user behind the firewall from 
accessing the port that has been shut down. Hence, this 
security measure is unacceptable. 

Another problematic aspect of conventional firewall 
arrangements, from a security perspective, is the universal 
practice of combining a firewall with other packages on a 
same computing system. This arises in two situations. The 
first is where the firewall package, in and of itself, is a 
combination of applications. For example, Trusted Information Systems' recently released Gauntlet application is a combination Web server and firewall. The second situation
is the aforementioned practice of hosting publicly accessible 
and/or unrelated services on a same computing platform that 
supports the firewall. The services sharing the platform with 
the firewall may include E-mail, Web servers, or even the 
system that the firewall is set up to protect (e.g., a database). 
This situation was discussed briefly above with respect to 
many companies' practice of grafting a firewall application 
onto their existing computer systems. 

The provision of applications on top of, or in addition to, 
the firewall on a computing system provides a path through 
which a hacker can get behind the firewall. This is done by 
using the unrelated applications to attack the firewall, or to 
directly connect with network elements being protected by 
the firewall. The firewall may fail to recognize the attack 
because the application being exploited by the hacker is 
authorized to communicate through the firewall. In addition, 
the firewall might not be able to protect against unexpected 
flank attacks from shared applications because it is set up 
specifically to monitor requests from a designated publicly 
accessible application. Alternatively, the shared application 
may be used to completely bypass the firewall and attack, or 
directly connect to, a protected network element. 

An example of a conventional firewall arrangement is 
depicted in FIG. 1. A host computer 100 communicates with 
an institutional computer system 106 over a public network
102 through a router 104. A router is a network element that 
directs a packet in accordance with address information 
contained in the packet. The institutional computer system 
106 supports a variety of applications including a Web 
server 108, and an E-mail system 114. A firewall system 110 
also is hosted on the institutional computer 106 to protect a 
port 112 that connects an internal network 116 to the 
institutional computer system 106. The internal network 116 
may support communication between internal terminals 118 and a database 120, possibly containing sensitive information. Such a firewall system 110, however, is subject to attack in many ways.

A hacker operating the host computer 100 can utilize publicly accessible applications on the institutional computer system 106, such as the Web server 108 or the E-mail system 114, to flank attack the firewall system 110 or connect to the internal network port 112. The Web server 108 or the E-mail system 114 may have authority to attach to and communicate through the firewall system 110. The hacker might be able to exploit this by routing packets through, or mimicking, these network elements in order to attach to, attack, or completely bypass the firewall system 110.

Most conventional firewalls are transparent to packets originating from behind the firewall. Hence, the hacker may insert a source address of a valid network element residing behind the firewall 110, such as the terminal 118, into a fictitious packet. Such a packet is usually able to pass through the firewall system 110. Alternatively, the hacker can set the session_active bit in the fictitious packet to pass through the firewall 110. The packet can be configured to contain a message requesting the establishment of a session with the terminal 118. The terminal 118 typically performs no checking, and assumes that such a session request is legitimate. The terminal 118 acknowledges the request and sends a confirmation message back through the firewall system 110. The ensuing session may appear to be valid to the firewall system 110.

The hacker can also attempt to attach to the port 112. A conventional application gateway system forms a connection to the port before the firewall 110 is invoked to verify the authority of the request. If enough connection requests hit the port 112, it may be locked out for a period of time, denying service to incoming requests from the public network and, more importantly, denying access to the internal network 116 for outgoing messages. It is readily apparent that conventional firewall systems, such as the one depicted in FIG. 1, are unacceptably vulnerable in many ways.

It is readily apparent that the design and implementation of conventional firewalls has rendered them highly vulnerable to hacker attack. What is needed is a true firewall system that overcomes the foregoing disadvantages and is resistant to hacker attack.

SUMMARY

The present invention overcomes the foregoing disadvantages by providing a firewall system that is resistant to conventional modes of attack. A firewall in accordance with the present invention is a stand-alone system that physically resides between a point of public access and a network element to be protected. A firewall arrangement in accordance with the invention operates on a computing platform that is dedicated to the operation of the firewall. Such a dedicated firewall computing platform is referred to herein as a "firewall box." The firewall box is connected to a protected network element by a single connection. Consequently, any communication from a publicly accessible network element to a protected network element must pass through the firewall box. A network element, or elements, to be protected by the firewall are connected to the backside of the firewall.

In a preferred embodiment the firewall box is a stand alone computing platform dedicated to supporting a firewall application. No other applications, services or processes, other than those related to support of the firewall application (e.g., an operating system), are to be maintained on the dedicated firewall box.

The firewall application running on the firewall box is comprised of a plurality of proxy agents. In a preferred embodiment, individual proxy agents are assigned to designated ports to monitor, respond to and verify incoming access requests (i.e., incoming packets) received on the port. Port management by the OS or port management programs is limited to simply assigning an appropriate proxy agent to an incoming access request on a port. The assigned proxy agent immediately verifies the access request before a connection is formed. Using simple verification checks, the proxy agent determines the authority of the access request, quickly and efficiently discarding unauthorized requests without unduly burdening system resources. If the access request is authorized, the assigned proxy agent opens, and thereafter manages, the port connection. In this way, the proxy agent is able to repel denial of service attacks without resorting to shutting down the port.

In a preferred embodiment, a proxy agent is assigned to a request based on the service associated with an access request (e.g., the Telnet port number is indicated). Each proxy agent is thus protocol sensitive to the particular service requirements of an incoming request and can respond with appropriately formatted messages. However, if the protocol of an access request is not configured in accordance with the protocol normally associated with that port, the request is discarded. If proper, the proxy agent can then initiate a set of verification checks to ensure the authority and authenticity of the access request.

Verification tests performed by a proxy agent can involve any variety of checks, including, but not limited to: determinations of valid destination addresses; determination of valid user, or user/password information; validity of an access in view of the time period of the access; presence of executable commands within an access request; or any combination of the latter, or like determinations. Such tests are not performed in conventional firewall systems.

Upon confirming the validity of an incoming access request, a proxy agent initiates the connection to a network element indicated in the access request, or in response to a prompt issued to a user, on behalf of the incoming access request. This has the effect of shielding the identity of network elements on each side of the firewall from a hacker who taps a connection on either side of the firewall. The firewall also can be used in combination with a packet filtering scheme to protect against IP spoofing and source based routing.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing, and other objects, features and advantages of the present invention will be more readily understood upon reading the following detailed description in conjunction with the drawings, in which:

FIG. 1 depicts a computer network arrangement having a conventional firewall arrangement;

FIG. 2 depicts an exemplary computer network arrangement including a firewall arrangement incorporating the present invention;

FIG. 3 depicts another exemplary computer network arrangement including a firewall arrangement incorporating the present invention; and

FIGS. 4A and 4B depict a flow diagram depicting an exemplary process incorporating the present invention.
DETAILED DESCRIPTION

FIG. 2 depicts a block diagram of an exemplary system 
incorporating the invention. Network elements in the form 
of a terminal 216 and a secure database 218 are connected 
to an internal network 214 that is protected behind a firewall 
210. The connection 212 between the internal network 214 
and the firewall 210 is preferably the only connection 
between these two elements. A publicly accessible comput- 
ing system is connected to a public network 202 through a 
router 204. A connection 208 between the firewall 210 and 
the publicly accessible computing system 206 is preferably 
the sole connection between the firewall 210 and the pub- 
licly accessible system 206. By providing the firewall 210 in 
this stand alone configuration, any and all access from the 
public network 202 to the internal network 214 must go 
through the firewall 210. Hence, a user operating a host 
machine 200 who attempts to access the internal network 
214 via the public network 202 must go through the firewall 
210. This arrangement is more robust than conventional 
firewall systems that are susceptible to being bypassed either 
physically or through applications sharing the firewall com- 
puting platform. 

In preferred embodiments of the invention, the firewall 
210 runs on a dedicated firewall box. That is, the computer 
upon which the firewall 210 is running, is dedicated to the 
firewall application. The processes, programs and applica- 
tions running on the firewall computing platform are those 
involved with firewall processes, or their support (i.e., the 
computer's operating system). Consequently, there is 
reduced risk of the firewall being bypassed through appli- 
cations sharing the firewall's computing platform. The addi- 
tion of other, unrelated, applications to the firewall box 
merely compromises the integrity of the firewall. 

The firewall 210 application is comprised of a variety of 
access request validation programs referred to herein as 
"proxy agents." Proxy agents investigate incoming requests 
that seek to access network elements residing behind the 
firewall 210. The nature of incoming access requests can 
vary according to a particular port, or service (e.g., HTTP, 
Telnet, File Transfer Protocol (FTP)) that the incoming 
request seeks to attach to. Accordingly, the firewall 210 
application assesses the characteristics of an incoming 
request and assigns an appropriate proxy agent tailored to 
the particular protocol and verification requirements of that 
incoming access request. In a preferred embodiment, there is 
a designated proxy agent for each port. The proxy agent 
assigned to a port performs all of the verification processes 
and management of the port without involving the operating 
system, or a port manager (as in conventional systems). 
Because it is dedicated to a particular port, a proxy agent is 
capable of providing a more efficient handling of an incom- 
ing request from both a protocol and a verification stand- 
point. The proxy agent makes an immediate verification 
check of an access request before initiating a port connec- 
tion. If the access is deemed suspect, it is immediately 
discarded. The use of proxy agents is more efficient than
conventional chained processes involving OS based verifi- 
cation routines and port management programs that are 
generic to incoming access requests. By immediately check- 
ing for and discarding suspect packets, the proxy agent is 
capable of resisting denial of service attacks without having 
to shut down the port. 

In accordance with another aspect of exemplary embodiments of the invention, a proxy agent can include a tailored set of verification tests. The rigorousness of the tests can be dictated by the characteristics of the access request. For instance, the source address of an access request can be investigated to determine whether the request is suspect or credible. An inherently reliable request may require only a minimum of verification before being connected, while a suspect request may require enhanced verification. Access request verification can include analysis of: source host machine and source user information; destination host machine and destination user information; and/or time of day analysis. These or other tests can be interactive in nature and prompt a source user to enter user/password information. In some cases a user may be required to enter a valid destination machine address or ID. In accordance with exemplary embodiments of the invention any combination of the foregoing, or other, tests can be performed by a given proxy agent depending on the verification requirements of a particular incoming access request.

A more detailed depiction of an exemplary system in accordance with the present invention is shown in FIG. 3. The figure illustrates a network scenario involving communication over a public network 306, such as the Internet. An institutional service provider 310 is attached to the public network 306 through a router 308. The institutional service provider 310 has a publicly accessible network 312. A user 300 operating a host computer 302 can access the publicly accessible network 312 through the public network 306 (via routers 304 and 308, respectively).

The institutional service provider 310 may be an ISP that develops software on internal computers 324 and 326 for distribution and sale. Free software can be supplied to users who access a public Web server 314 on the internal, publicly accessible, network. The institutional user 330 also may provide information about its products or services by establishing a home page on the publicly accessible Web server 314. The publicly accessible network 312 also may have a public E-mail system 316. Authorized subscribers may be permitted to access proprietary software offered on a protected Web server 322 by accessing the institution's internal network 328. The internal network 328 also can have a secure E-mail system 320 for internal communication. The internal network 328 is protected from public access by a firewall 318 incorporating the present invention.

The firewall 318 permits the internal network 328 to be attached to the public network 306 (through the publicly accessible network 312) without rendering the secure network 328 open to public access. The firewall 318, in accordance with preferred embodiments of the invention, physically separates the publicly accessible network 312 from the internal network 328. Consequently, all communications attempting to access the internal network 328, or any network elements attached thereto, must pass through the firewall 318. To secure it from direct (i.e., keyboard) access, the firewall 318 is preferably maintained in a secure location on the premises of the institution 310.

The firewall 318 can run on a general purpose computer. Such a computer, in accordance with preferred embodiments, is a stand alone machine, or firewall box, dedicated to the firewall application. The addition of other programs to the firewall box merely undermines the strength of the firewall 318. Such additional programs can be used to bypass, or attach to and attack, the firewall 318.

The firewall application comprises a plurality of proxy agents that are assigned to investigate and handle incoming access requests. A proxy agent is preferably assigned in accordance with a port number designation indicated in a request. The assigned proxy agent processes the access request, forms the connection, if verified, and manages the completed connection. A designer can dictate what set of verification tests are to be run on a particular incoming request. For instance, an assigned proxy agent can first check to ensure that the protocol of the access request matches that of the indicated port. If there is a discrepancy, the request is denied. A next check can involve investigation of a source address (i.e., the host machine from which the access inquiry originated) of the access request. This permits the proxy agent to make an initial assessment of the authenticity of the request. If a particular source has a higher probability of generating suspect packets (e.g., an unknown university computer) a proxy agent can optionally invoke a more rigorous series of verification tests. However, if the source is inherently secure (e.g., a firewall protected machine at a company's headquarters communicating with their R&D site) the proxy agent might proceed directly to connecting the incoming request with a destination host machine. Once the source is determined, the proxy agent can run an appropriate combination of verification checks suited to the integrity of the request as indicated by its source. In the event that a legitimate user is accessing a protected network element using a suspect computer (e.g., a visiting professor logging on to a university's host computer rather than his or her office computer) it may be advantageous to allow such a user through, but only after a more rigorous set of interactive verification tests. However, the packet source address need not necessarily dictate the particular combination of verification tests performed by the proxy agent. A proxy agent can have a fixed set of verification tests based on the port designation. The particular selection of verification checks is discretionary. Several such checks are described below.

Source address verification can be based on a check of the validity of one or more specific addresses, or on a range of address values (e.g., the first octet has a value of between zero and 100). Such a check involves a determination of whether a host source address of an incoming packet comports with a list of authorized or unauthorized addresses, or is within a designated range. If the source address is not on the list, the packet is discarded. Referring back to FIG. 3, in the event that the external user 300 attempts to contact a network element behind the firewall 318, the proxy agent can check the source address of the host computer 302. If the proxy agent determines that the host computer 302 does not have an authorized address, the request originating from the host computer 302 is discarded.

A second check can be used to determine the authority of an access request based on the identity of a user seeking to gain access. This may involve interactively prompting the user 300 to enter either a user name, or a user/password combination. Because the proxy agent is protocol sensitive, it is designed to issue prompts in accordance with the format indicated by the port number of the incoming access request. A particular user may have limited access, in which case the user may be prompted to enter the address of the destination machine to be accessed. If the proxy agent determines that the user is not authorized to access the requested destination machine, the user can be re-prompted to enter another destination machine, or the request can be discarded altogether.

A third check can be performed to determine whether the time period during which an access request is being made is authorized in and of itself, or for a particular user, source address, or destination address indicated in the request. For example, the check can permit access to a certain class of network elements during certain periods (e.g., between 7:00 a.m. and 5:00 p.m. U.S. Pacific Standard Time). The time period check can include any combination of time of day, day of week, week of month, month of year, and/or year.

A fourth check can be invoked to determine whether the destination address indicated by an access request is authorized. This check can be performed by examining packet destination address information, or possibly by prompting a user to enter the information. For example, in File Transfer Protocol (FTP) requests, the user may be required to enter the destination address (e.g., "username@host") in response to a prompt generated by the assigned proxy agent.

A proxy agent can also run tests that intercept and discard any messages that attempt to initiate a process on the firewall 318 itself. For example, a conventional system having bundled applications may include an application such as SendMail. SendMail, in addition to providing mail delivery, also contains features for collecting and tracking source and destination information of mail messages. The information derived by a hacker through execution of such SendMail commands can be used to gain access to secure network elements. Hence, a proxy agent in accordance with the invention can include, within its set of tests, a check for ferreting out and discarding packets having nested executable commands. A firewall incorporating the invention can, however, facilitate the communication of normal electronic messages. Hence, valid mail can be passed through the firewall 318 to an internal E-mail system 320 if otherwise authorized.

The checks described do not represent an exhaustive list of available verification checks. They merely represent a variety of access validation checks and are described to assist in describing exemplary embodiments of the invention. The particular combination of tests is discretionary. Other checks can be added as deemed fit or necessary for a particular scenario.

After a proxy agent successfully completes its set of one or more verification tests, the proxy agent initiates a connection request to the destination machine (and port) on behalf of the incoming access request. The purpose of this practice is to maintain anonymity on each side of the firewall. A party tapping either of the connections entering or exiting the firewall only "sees" the elements on each side of the tap, but not those beyond the tap.

In accordance with another aspect of exemplary embodiments of the invention, security is supplemented by performing packet filtering on incoming access request packets. Such packet filtering can be provided either by the operating system of the firewall box, or by a router, such as router 308. In accordance with preferred embodiments, the packet filtering is directed to eliminating source based routing. Therefore, the packet filter maintains a list of addresses corresponding to network elements residing behind the firewall 318. If any incoming access request has a source address of a network element behind the firewall 318, that packet will be intercepted and discarded.
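The verification checks described above (protocol against the designated port, source address list and range, time period, user name/password and destination authorization) together with the anti-source-routing packet filter, combined into one runnable decision pipeline. This is an added example written for this edit, not the patent's own code. Every address range, account, time window and port policy in it is a constructed assumption; the "first octet between zero and 100" range rule and the trusted source that proceeds straight to the connection follow the text's own illustrations. A source that passes the packet filter is classified as denied, trusted (connect directly) or unknown (the rigorous checks are added), and each decision records which tests were run.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed policy; every value here is an assumption made for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]         # elements behind the firewall
TRUSTED_SOURCES = [ip_network("198.51.100.0/24")]  # e.g. the HQ firewall (connect directly)
DENIED_SOURCES = [ip_network("203.0.113.0/24")]    # addresses explicitly refused
FIRST_OCTET_MAX = 100                              # range rule: first octet 0..100
PST = timezone(timedelta(hours=-8))                # U.S. Pacific Standard Time
BUSINESS_HOURS = (time(7, 0), time(17, 0))         # 7:00 a.m. to 5:00 p.m. PST
USERS = {"alice": {"password": "correct-horse", "destinations": {"10.0.0.22"}}}

@dataclass
class Request:
    src: str                       # source host address
    dst: str                       # destination network element
    port: int                      # service (port number) designation
    payload: bytes                 # first bytes of the request
    received: datetime             # timezone-aware arrival time
    user: Optional[str] = None     # credentials given at the proxy agent's prompt
    password: Optional[str] = None

@dataclass
class Decision:
    allowed: bool
    reason: str
    checks: List[str] = field(default_factory=list)   # tests that were run, in order

def packet_filter(req: Request) -> bool:
    """Router/OS stage: discard packets whose source claims to be an internal host."""
    return not any(ip_address(req.src) in net for net in INTERNAL_NETS)

def protocol_matches_port(req: Request) -> bool:
    """Check 1: the payload must be formatted for the service the port designates."""
    if req.port == 80:
        return req.payload.split(b" ", 1)[0] in {b"GET", b"HEAD", b"POST"}
    if req.port == 21:
        return req.payload.upper().startswith(b"USER ")
    return False   # no proxy agent is assigned for other ports

def classify_source(req: Request) -> str:
    """Check 2: 'denied', 'trusted' (connect directly) or 'unknown' (rigorous checks)."""
    addr = ip_address(req.src)
    if any(addr in net for net in DENIED_SOURCES):
        return "denied"
    if any(addr in net for net in TRUSTED_SOURCES):
        return "trusted"
    return "unknown" if addr.packed[0] <= FIRST_OCTET_MAX else "denied"

def within_time_window(req: Request) -> bool:
    """Check 3: the request must arrive inside the authorized period, evaluated in PST."""
    local = req.received.astimezone(PST).time()
    return BUSINESS_HOURS[0] <= local <= BUSINESS_HOURS[1]

def user_authorized(req: Request) -> bool:
    """Check 4: user name and password, then the destination permitted for that user."""
    account = USERS.get(req.user or "")
    if account is None or not hmac.compare_digest(account["password"], req.password or ""):
        return False
    return req.dst in account["destinations"]

def evaluate(req: Request) -> Decision:
    """Packet filter first, then the assigned proxy agent's test set, in order."""
    d = Decision(allowed=False, reason="", checks=["packet-filter"])
    if not packet_filter(req):
        d.reason = "packet filter: source claims an internal address"
        return d
    tests = [("protocol/port", protocol_matches_port, "request not formatted for the designated service"),
             ("source-address", lambda r: classify_source(r) != "denied", "source address not authorized")]
    if classify_source(req) != "trusted":          # suspect source: add the rigorous checks
        tests += [("time-period", within_time_window, "outside the authorized time period"),
                  ("user/destination", user_authorized, "user not authorized for the destination")]
    for name, check, reason in tests:
        d.checks.append(name)
        if not check(req):
            d.reason = reason
            return d
    d.allowed = True
    d.reason = "proxy agent connects to %s:%d on behalf of %s" % (req.dst, req.port, req.src)
    return d

def sample_requests():
    """Constructed sample traffic (not captured data) exercising each branch."""
    morning = datetime(2024, 1, 15, 18, 30, tzinfo=timezone.utc)   # 10:30 a.m. PST
    evening = datetime(2024, 1, 16, 3, 0, tzinfo=timezone.utc)     # 7:00 p.m. PST
    web = b"GET / HTTP/1.0"
    return {
        "spoofed": Request("10.0.0.5", "10.0.0.22", 80, web, morning),
        "mismatch": Request("93.184.216.34", "10.0.0.22", 80, b"USER bob", morning),
        "denied": Request("203.0.113.9", "10.0.0.22", 80, web, morning),
        "trusted": Request("198.51.100.7", "10.0.0.22", 80, web, evening),
        "after_hours": Request("93.184.216.34", "10.0.0.22", 80, web, evening, "alice", "correct-horse"),
        "visitor": Request("93.184.216.34", "10.0.0.22", 80, web, morning, "alice", "correct-horse"),
    }
```

The packet filter runs before any proxy agent is assigned, mirroring the router/OS stage in the text; the trusted source skips the time and user checks entirely, while the "visitor" request from an unknown source is admitted only after all of them pass. The `checks` list on each `Decision` is the minimum a firewall would want to write to its log for every request, allowed or not.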

FIGS. 4A and 4B depict a flow diagram of an exemplary process for analyzing an access request received at the firewall 318 of FIG. 3. The process described is merely exemplary, and any combination of checks or steps may be performed in accordance with a selected combination of checks. Furthermore, the order of step execution can be altered as needed for a particular scenario.

Consider the situation where the user 300 in FIG. 3 is authorized to access the Web server 322 that resides behind the firewall 318. To access the Web server 322, the user 300, operating the host computer 302, first logs onto a public network (step 400) that is compatible with TCP/IP protocols. To access the Web server of the institution 310, the user 300 enters an appropriate address (step 402), such as "http://webwho.com". The access request is received by a router 304 which forwards the message to the Internet 306. The Internet may forward the message through a series of routers and present it to a router 308 that services the institution 310.

Because the access request seeks to access a destination address residing behind the firewall 318, the access request message is presented to the firewall 318 (step 404). In accordance with an exemplary embodiment, a proxy agent running on the firewall 318 is assigned to the access request in accordance with a preliminary analysis of the port number designation within the packet representing the access request (step 406). In this case, port number 80 (HTTP) would ordinarily be designated in the request. The assessment also can involve a determination of whether the service indicated by the port number comports with the contents of the request (step 408). That is, does the request indicate one service (port number) while being formatted for another? If there is disparity, the access is denied (step 410).

The proxy agent can then analyze a source address to determine whether the host computer 302 from which the message originated is authorized to access the secure Web server 322 (step 412). As described above, this check can be used to optionally invoke a more rigorous set of verification checks if the source is unknown or suspect. This assessment can involve a comparison of the source address with a list of authorized or unauthorized addresses maintained by the proxy agent (step 414). In the exemplary case here, if the source address is not authorized (i.e., the source address is not on the list), the access request is denied (step 416). The extent to which a proxy agent verifies the validity of an access request can vary. It should be noted that in some cases, a proxy agent may need to do little more than verify address information before initiating a connection to the destination device on behalf of the source host. Alternatively, if a source address is suspect, or a proxy agent's set of checks is fixed, the proxy agent can perform additional checking.

In the present exemplary scenario the access request message is further analyzed to determine whether the access request is being received during an authorized time period, such as a time of day (step 418). If the time of day during which the access request is received is not authorized, the connection request is denied (step 420). The time of day assessment can be tailored for specified users, source host machines, and/or IP addresses. For example, to prevent evening hacking by users in Canada, North, and South America, such users may be denied access other than during normal U.S. business hours. A user in India, however, operating during Indian daylight hours, may be allowed to access the system during U.S. evening hours.

A proxy agent also can assess whether user or user/password information is necessary to gain access (step 422). If not, the proxy agent can initiate the connection (step 424). If the information is required, the proxy agent prompts the user with an appropriately formatted message to enter a username and/or password information (step 426). The user name and/or password information is checked (step 428). If an unauthorized user name is entered, or the password is invalid, the access request is denied (step 430). If a valid user name, or user/password combination is entered, the proxy agent can make further assessments, if deemed necessary or appropriate, to determine whether the host machine 302 is authorized to access the particular destination (e.g., Web server 322) (step 432). If not authorized, the access is denied (step 434). An additional proxy agent check can determine whether the particular network element to which the user 300 is attempting to gain access is available to the particular user (step 436). If not authorized, the access request is denied (step 438).

If, after the proxy agent has completed its set of tests, it is determined that the access request is authorized, the proxy agent initiates a connection to the Web server 322 on behalf of the source machine 300 (step 440). Because the firewall forms a connection (using a proxy agent) following the completion of validation checks associated with the proxy agent's test set, the firewall functions as a Bastion host, or firewall server, on behalf of the access request source. By using the firewall as a Bastion host, or firewall server, to act on behalf of the user accessing the secure network 328, the identity of internal network elements is not revealed because the firewall 318, acting as an intermediary, shields the identity of the network elements on whose behalf it is acting. All the external user sees, in terms of addresses, is the firewall. If an internal connection is tapped onto, a valid source address or user identity is not available to the hacker as the firewall 318 appears to be the source of the connection. Hence, a firewall arrangement in accordance with the invention provides two-way transparency.

Another aspect of an exemplary embodiment of the invention involves sending an "out-of-band" system message in response to a username or username/password combination provided by a user. Such a system involves communicating a password, or password portion, back to a user on a communication medium other than the computer network being used. The user enters the information received by out-of-band means to complete a logon process. For example, a user can be prompted to enter their username and the first half of a password. The system receiving this information, upon verifying it, sends back the remaining half of the password to the user by automatically generating a phone call to a beeper provided to the user. The beeper's display indicates the remaining password portion which is then entered by the user to complete the logon. The identity of the user is thereby authenticated. A hacker does not possess the means to receive the out-of-band response (i.e., the beeper). The password, or password portion sent back to the user by out-of-band means can be a random number generated by the firewall system.

Another aspect of exemplary firewall systems operating in accordance with the invention is that all processes, including proxy agents, running on the firewall, operate in a "daemon mode." When a computer operating system receives a request to perform a task it will open up a job and designate a corresponding job number in order to provide and manage resources associated with that job. When the task is completed the operating system designates the job for closure. However, the actual closure of the job and removal of the corresponding job number does not always take place immediately because it is considered to be a low priority task. This occasionally leaves an idle job open on the system awaiting closure. Hackers have learned that they can exploit such an idle job, reactivate its status, and access resources available to the job. By operating in a daemon mode, the operating system of the firewall box immediately shuts down jobs following the completion of designated tasks.

When a computer upon which the firewall is running is operating in a UNIX environment, there are UNIX-specific security measures that can be invoked. One such security measure is the "changeroot" feature. A "root" user is a user having high levels of access to files branching from a "root directory." If a hacker can access a root directory, the hacker may be able to access the files hierarchically emanating from the root directory. In accordance with another aspect of a secure database system incorporating the present invention, all jobs running on the firewall system and on the secure database system are preceded by a "changeroot" command to change the identity of the root directory. A new root directory is created by execution of this command that can be used for transaction-specific purposes. This new directory does not have access to any of the original file directories branching from the original root directory. Consequently, if a hacker is able to access information associated with a job, corresponding root directory data will be useless.
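The out-of-band second-password exchange described above (user name and first half of the password over the network; a random second half paged to the user's beeper and entered to finish the logon), as an added example that is not the patent's code. The account store, the salt, and the pager callback that stands in for the automatically generated beeper call are assumptions made for the example; the stored first half is kept only as a PBKDF2 hash, and a paged second half is single-use, so a wrong guess forces the user back to step one.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict

SALT = b"constructed-salt"   # assumption: a per-deployment salt for the stored password halves

def hash_half(secret: str) -> bytes:
    """Store only a PBKDF2 hash of the half the user knows, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)

# Constructed account store: user -> hashed first half and beeper number (assumed values).
ACCOUNTS = {"alice": {"first_half": hash_half("tiger"), "beeper": "+1-555-0100"}}

class OutOfBandLogon:
    """Tracks pending second halves: one is issued per successful step 1 and consumed once."""

    def __init__(self, pager: Callable[[str, str], None]) -> None:
        self.pager = pager                 # delivers (beeper_number, code) on the other medium
        self.pending: Dict[str, str] = {}  # user -> second half awaiting entry

    def step1(self, user: str, first_half: str) -> bool:
        """Verify user name and first half; if correct, page a random second half."""
        account = ACCOUNTS.get(user)
        if account is None or not hmac.compare_digest(hash_half(first_half), account["first_half"]):
            return False
        code = "%06d" % secrets.randbelow(10 ** 6)   # random number generated by the firewall
        self.pending[user] = code
        self.pager(account["beeper"], code)
        return True

    def step2(self, user: str, second_half: str) -> bool:
        """Complete the logon: the entered half must match, and it is consumed either way."""
        expected = self.pending.pop(user, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), second_half.encode())

def demo_exchange() -> bool:
    """Full exchange with a simulated beeper; True when the logon completes."""
    paged = []
    logon = OutOfBandLogon(lambda beeper, code: paged.append(code))
    if not logon.step1("alice", "tiger"):
        return False
    return logon.step2("alice", paged[0])   # the user reads the code off the beeper display
```

Only someone who both knows the first half and holds the beeper can finish; an eavesdropper on the network connection sees the first half and the entered code, but the code was generated for one logon and is already spent.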

Another aspect of a system in accordance with the invention is the use of aliases by the firewall when addressing machines residing behind the firewall. A machine behind the firewall can be addressed by the firewall according to an alias of its actual IP address. Hence, if a hacker is somehow able to tap the firewall, any addresses detected by the hacker corresponding to machines attached to the backside of the firewall will be fictitious.

An additional security feature that can be provided in the firewall system is a transaction log. Such a log gathers information associated with any access request message seeking to connect to or inquire about network elements residing behind the firewall. Information gathered in such a transaction log may include, but is not limited to, the source address (the identity of the machine from which the request originated), the IP address (the Internet port system over which the request originated), the destination address (whom the request is trying to reach), time of access, and/or the identity of the user (who is using the source machine). This information can help identify a hacker if the hacker's activities require legal attention.

The exemplary scenarios described above are directed primarily to situations where outside users are attempting to access network elements residing behind a firewall. It should be noted, however, that a firewall in accordance with the present invention also can be utilized to monitor and control packet traffic originating from behind a firewall, allowing and disallowing connection based upon predetermined rules. Hence, a firewall incorporating the invention also can be used to control what, where, who, how and when a user behind the firewall can access the outside world. This can be done in addition to monitoring and controlling incoming traffic.

Because exemplary embodiments involve the operation of computing systems, an exemplary embodiment of the invention can take the form of a medium for controlling such computing systems. Hence, the invention can be embodied in the form of an article of manufacture as a machine readable medium such as floppy disk, computer tape, hard drive disk, CD ROM, RAM, or any other suitable memory medium. Embodied as such, the memory medium contains computer readable program code which causes a computing system upon which the firewall system is running to function or carry out processes in accordance with the present invention.

An exemplary application of the invention has been described protecting an internal network. However, one skilled in the art will readily appreciate and recognize that the firewall system or method of operation in accordance with the invention can be applied in any scenario requiring the protection of network elements that are attached to a publicly accessible medium, such as the Internet. The invention provides the benefit of attaching a system to a public network with reduced apprehension of that system being compromised over the public network.
The invention has been described with reference to particular embodiments. However, it will be readily apparent to those skilled in the art that it is possible to embody the invention in specific forms other than those of the embodiments described above. Embodiment of the invention in ways not specifically described may be done without departing from the spirit of the invention. Therefore, the preferred embodiments described herein are merely illustrative and should not be considered restrictive in any way. The scope of the invention is given by the appended claims, rather than by the preceding description, and all variations and equivalents which fall within the range of the claims are intended to be embraced therein.

What is claimed is: 

1. A firewall system for protecting a network element from access over a network to which the network element is attached, the firewall system comprising:

a firewall box comprising a stand alone computing platform;

a first connection connecting the firewall box to the network element; and

at least one proxy agent running on the firewall box for verifying that an access request packet received over the first connection is authorized to access the network element, the at least one proxy agent initiating a connection to the network element on behalf of the access request if the access request is authorized, wherein the at least one proxy agent verifies that a time period during which an incoming access request is received is valid.

2. A firewall system for protecting a network element from access over a network to which the network element is attached, the firewall system comprising:

a firewall box comprising a stand alone computing platform;

a first connection connecting the firewall box to the network element; and

at least one proxy agent running on the firewall box for verifying that an access request packet received over the first connection is authorized to access the network element, the at least one proxy agent initiating a connection to the network element on behalf of the access request if the access request is authorized;

wherein the at least one proxy agent performs a Changeroot command prior to processing an incoming access request.

3. A firewall system for protecting a network element from access over a network to which the network element is attached, the firewall system comprising:

a firewall box comprising a stand alone computing platform;

a first connection connecting the network to the firewall box;

a second connection connecting the firewall box to the network element; and

at least one proxy agent running on the firewall box for verifying that an access request packet received over the first connection is authorized to access the network element, the at least one proxy agent initiating a connection to the network element on behalf of the access request if the access request is authorized, wherein the at least one proxy agent prompts the user to enter a user name and a password and verifies that a user associated with an incoming access request is authorized to access the network element, and upon receiving and verifying
the user name and password, communicates a second password to the user using a communication channel other than the computer network being used to initiate the connection, which second password is to be entered by the user to advance a logon process.

4. A firewall method for protecting a network element from unauthorized access over a network to which the network element is attached, the method comprising the steps of:

receiving an incoming access request;

assigning a proxy agent to the incoming access request in accordance with a port number indicated in the incoming access request;

verifying the authority of the incoming access request to access the protected network element;

forming a connection to the network element via the proxy agent on behalf of the incoming access request, if the authority of the incoming access request is verified;

wherein the step of verifying the authority of the incoming access request includes:

determining the identity of a source of the incoming access request;

initiating a first set of verification checks in response to a first identified source; and

initiating a second set of verification checks in response to a second identified source.

5. A firewall method for protecting a network element from unauthorized access over a network to which the network element is attached, the method comprising the steps of:

receiving an incoming access request;

assigning a proxy agent to the incoming access request in accordance with at least a port number indicated in the incoming access request;

verifying the authority of the incoming access request to access the protected network element; and thereafter

forming a connection to the network element via the proxy agent on behalf of the incoming access request if the authority of the incoming access request is verified;

wherein the step of verifying the authority of the incoming access request includes:

verifying that a user associated with the incoming access request is authorized to access the network element;

checking the accuracy of a first password associated with the incoming access request; and,

communicating a second password to the user using a communication channel other than the network connection, which second password is to be entered by the user to advance a logon process.

6. A firewall method for protecting a network element from unauthorized access over a network to which the network element is attached, the method comprising the steps of:

receiving an incoming access request;

assigning a proxy agent to the incoming access request in accordance with a port number indicated in the incoming access request;

verifying the authority of the incoming access request to access the protected network element;

verifying that a time period during which an incoming access request is received is valid; and

forming a connection to the network element via the proxy agent on behalf of the incoming access request if the authority and time period of the incoming access request is verified.

7. The firewall system as in claim 1, 2, 3, wherein the firewall box is dedicated to a firewall application.

8. The firewall system as in claim 1, 2, or 3, wherein the firewall box is a general purpose computer.

9. The firewall system as in claims 1, 2, or 3, wherein the firewall box executes a plurality of proxy agents each of the plurality of proxy agents configured to verify the incoming access request in accordance with a port number indicated in an incoming access request.

10. The firewall system as in claims 1, 2, or 3, wherein the at least one proxy agent verifies that a source address associated with an incoming access request is authorized to access the network element.

11. The firewall system as in claims 1, 2, or 3, wherein the at least one proxy agent verifies that an incoming access request contains no executable commands directed to the firewall box.

12. The firewall system as in claims 1, 2, or 3, wherein the at least one proxy agent verifies that a destination associated with an incoming access request is valid.

13. The firewall system as in claims 1, 2, or 3, wherein the at least one proxy agent verifies that a destination indicated in an incoming access request is valid for a user associated with the incoming access request.

14. The firewall system as in claims 1, 2, or 3, wherein the at least one proxy agent addresses the network element according to an alias.

15. The firewall system as in claims 1, 2, or 3, wherein the at least one proxy agent manages the connection to the network element.

16. The firewall system as in claims 1, 2, or 3, wherein the at least one proxy agent operates in a daemon mode.

17. The firewall system as in claims 1, 2, or 3, wherein an operating system of the firewall box performs packet filtering.

18. The firewall system as in claims 1, 2, or 3, further comprising:

a router attached between the firewall box and the public network, which router performs packet filtering.

19. The firewall system as in claims 1, 2, or 3, further comprising:

a transaction log for recording information regarding an access request.

20. The firewall system as in claims 1 or 2, wherein the at least one proxy agent prompts the user to enter a user name and verifies the user name entered.

21. The firewall system as in claim 3, wherein the second password is a random number.

22. The firewall system as in claim 3, wherein the communication channel is a beeper.

23. The firewall method as in claims 4, 5 or 6, wherein an assigned proxy agent is selected from a plurality of proxy agents, each of the plurality of proxy agents configured to verify the incoming access request in accordance with a port number indicated in an incoming access request.

24. The firewall method as in claims 4, 5 or 6, wherein the step of verifying the authority of the incoming access request includes:

using the at least one proxy agent to verify that a source address associated with an incoming access request is authorized to access the network element.

25. The firewall method as in claims 4, 5 or 6, wherein the method further comprises the steps of:

using the at least one proxy agent to prompt the user to enter a user name; and

verifying the authority of the user name entered.

26. The firewall method as in claims 4, 5 or 6, wherein the 
method further comprises the steps of: 

using the at least one proxy agent to prompt the user to enter a user name and a password; and

verifying the authority of the user name and password entered.

27. The firewall method as in claims 4, 5 or 6, wherein the 
step of verifying the authority of the incoming access 
request includes: 

verifying that an incoming access request contains no 
executable commands. 

28. The firewall method as in claims 4, 5 or 6, wherein the 
step of verifying the authority of the incoming access 
request includes: 

verifying that a destination associated with an incoming 
access request is valid. 

29. The firewall method as in claims 4, 5 or 6, wherein the 
step of verifying the authority of the incoming access 
request includes: 

verifying that a destination indicated in an incoming 
access request is valid for a user associated with the 
incoming access request. 
30. The firewall method as in claims 4, 5 or 6, wherein the step of forming a connection to the network element on behalf of the incoming access request includes:

addressing the network element according to an alias.

31. The firewall method as in claims 4, 5 or 6, wherein the at least one proxy agent operates in a daemon mode.

32. The firewall method as in claims 4, 5 or 6, wherein the method further includes the step of:

having the at least one proxy perform a Changeroot command prior to processing an incoming access request.

33. The firewall method as in claims 4, 5 or 6, wherein the method further includes the step of:

performing packet filtering on the incoming access request.

34. The firewall method as in claims 4, 5 or 6, further comprising the step of:

maintaining a transaction log for recording information regarding an access request.

35. The firewall method as in claim 5, wherein the second password is a random number.

36. The firewall method as in claim 5, wherein the communication channel includes a beeper.

* * * * *